Knock-on Effects Of Software Dev Break-in Hit Schools Trust

A major UK education trust has warned staff that their personal information may have been compromised following a cyberattack on software developer Intradev in August.

Affinity Learning Partnership, which operates seven schools and employs more than 650 staff members, sent notifications to affected employees after learning of the breach through one of its service providers, Single Central Record Ltd (also known as OnlineSCR). The trust's schools educate approximately 3,000 children and young people aged 3 to 19.

Affinity Learning Partnership sent a message to affected employees, seen by The Register, cautioning that their data might have been leaked:

The breach originated with Hull-based software development company Intradev, which, as The Register exclusively revealed last month, detected a digital break-in on August 4. One of its customers, Access Personal Checking Services (APCS), a provider of criminal record checks for employers, warned its customers of potential data exposure.

OnlineSCR, which is a sister company to APCS, specializes in recruitment and Disclosure and Barring Service (DBS) checks for UK schools, making it a repository for highly sensitive staff information including names, addresses, and background check details. It was also using Intradev's services for critical education sector functions.

Intradev previously confirmed to The Reg that it was "conducting a detailed investigation into the incident, including a review of the affected files and systems." The firm writes bespoke software for clients.

According to sources close to Affinity, some staff members have had basic details like surnames leaked, while others face far more serious exposure including passport numbers, driving license details, and National Insurance numbers.

The letter from Affinity added: "We understand that some of you may wish/be advised to replace your driving licence or passport, although guidance from the Information Commissioner's Officer (ICO) is that this is not necessarily required."

• Stolen OAuth tokens expose Palo Alto customer data
• UK government dragged for incomplete security reforms after Afghan leak fallout
• SK Telecom walloped with $97M fine after schoolkid security blunders let attackers run riot
• Criminal background checker APCS faces data breach

The Register has repeatedly asked Affinity Learning Partnership and OnlineSCR for comment.

According to a blog post from lawyer Browne Jackson: "We understand that a data processor used by Online SCR in the provision of this service suffered a recent cyberattack which has resulted in the personal data being compromised for staff at some of the schools and trusts which use Online SCR.

"The extent of the data compromised varies from school to school, but can include names, addresses and QTS number, as well as higher risk data such as passport numbers and National Insurance numbers."

This incident highlights the ongoing cybersecurity challenges facing UK education institutions. Schools and trusts often become attractive targets for cybercriminals due to their combination of valuable personal data and typically limited IT security budgets.

The breach also demonstrates how third-party service providers can create unexpected security risks, even for organizations that may have robust direct security measures.

Affinity has tried to protect affected staff by offering two years of CIFAS protective registration. The service means any organization using the CIFAS fraud prevention database will conduct additional identity verification checks before processing applications in the affected individuals' names.

The Register also contacted the ICO and will update this article when it finally responds. ®